Author: dupondje

Great! Native IPv6. Now all my computers/devices in my LAN have a public IP address!

So first of all, think about security.
With IPv4 and NAT, your devices are not directly reachable from the internet, because they only have a private IP address.
With IPv6, every device receives a public IP address and is reachable from the internet by everybody, unless a firewall in front of it blocks the traffic.

A good thing is that Tomato Toastman activates ip6tables for your whole LAN.
So everything is closed down at the router level! Great!

But of course you might want to open, say, SSH to your local computer, or connectivity to your NAS.
Easy, just:

ip6tables -I INPUT -d MyIPv6Address -j ACCEPT

This works fine, but not when your ISP thinks it's needed to hand out a dynamic prefix.
As the full IPv6 address then changes every time, it's not possible to add such a rule to your ip6tables.

Searching the internet for a possible solution, I found the ‘EUI64’ module in ip6tables.
But after some testing and source code checking it was clear this module was not made for this case.
The module only takes the source MAC address of a packet, computes its EUI64 and checks whether it matches the source IP.
It's made to defeat spoofing and unauthorized IPs in your network.

So we mailed the netfilter mailing list for a possible solution.
And guess what, it's already possible by default, but not documented.

Let's say you want to allow traffic to your computer with MAC address ‘a1:a3:be:89:93:af’.
If you use SLAAC, your IP will be Prefix:a3a3:beff:fe89:93af.
Now to allow traffic to this address, you can use the following ip6tables rule, which masks out the prefix and only matches the last 64 bits:

ip6tables -I INPUT -d ::a3a3:beff:fe89:93af/::ffff:ffff:ffff:ffff -j ACCEPT

No more changes to your rules if your Prefix changes. It just keeps working!

After I finally had IPv6 in my network, I started to configure everything properly.
So first of all: what address do the clients receive?

My Linksys E3000 router runs on Toastman Tomato.
This custom firmware has everything included to support IPv6 correctly.

Now I noticed my computer in the LAN received 2 IPv6 addresses out of the /64 range that was announced by the router.
I got 1 DHCPv6 address and 1 SLAAC address.

DHCPv6

DHCPv6 works much the same as DHCP for IPv4.
The client asks for an IP, and the DHCPv6 daemon hands it an IPv6 address to assign.
DNS servers are also passed to the client.

Stateless address autoconfiguration aka SLAAC

This is something new in the world of IPv6.
As an IPv6 address is 128 bits, and subnets are (normally) a /64, the device's MAC address can be used for the last 64 bits.
And this is how SLAAC works.

The router sends RA (Router Advertisement) messages to the network with just the prefix (the first 64 bits).
Your client in the LAN receives this message and generates an EUI64 from its MAC address.
This part is then appended to the announced prefix, and there we have our IPv6 address.
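The EUI64 derivation just described, and the prefix-independent ip6tables rule from the firewall section above, worked through in an added Python example (this is not code from the post, from Tomato or from netfilter). `eui64_from_mac` does the RFC 4291 modified EUI-64 transformation (flip the universal/local bit, insert ff:fe), and `rule_matches` emulates what the `-d ADDR/MASK` match does with the mask `::ffff:ffff:ffff:ffff`. The `2001:db8:...` prefixes and the second MAC address are constructed sample values:

```python
import ipaddress

# Added example (not code from the post, Tomato or netfilter): derive the
# SLAAC/EUI-64 interface identifier from a MAC address and emulate how an
# ip6tables '-d ADDR/MASK' match with mask ::ffff:ffff:ffff:ffff keeps
# matching the same host after the ISP hands out a new /64 prefix.
# The 2001:db8:: prefixes used below are constructed documentation prefixes.


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): flip the U/L bit of the first
    octet and insert ff:fe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits")
    first = octets[0] ^ 0x02  # invert the universal/local bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_suffix(mac: str) -> str:
    """The host part as written in the ip6tables rule, e.g. ::a3a3:beff:fe89:93af."""
    return str(ipaddress.IPv6Address(eui64_from_mac(mac)))


def slaac_address(prefix: str, mac: str) -> str:
    """Full address the host configures when the router advertises PREFIX."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_from_mac(mac)))


def rule_matches(address: str, rule_dst: str, rule_mask: str) -> bool:
    """Emulate the ip6tables '-d rule_dst/rule_mask' test: only the bits that
    are set in the mask are compared, so a mask covering just the low 64 bits
    ignores whatever prefix the ISP currently assigns."""
    a, d, m = (int(ipaddress.IPv6Address(x)) for x in (address, rule_dst, rule_mask))
    return (a & m) == (d & m)


# The rule from the post, written for MAC a1:a3:be:89:93:af
RULE_DST = "::a3a3:beff:fe89:93af"
RULE_MASK = "::ffff:ffff:ffff:ffff"

if __name__ == "__main__":
    mac = "a1:a3:be:89:93:af"
    print("SLAAC suffix:", slaac_suffix(mac))
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):  # simulated prefix change
        addr = slaac_address(prefix, mac)
        print(addr, "matches" if rule_matches(addr, RULE_DST, RULE_MASK) else "no match")
    other = slaac_address("2001:db8:1::/64", "00:11:22:33:44:55")  # constructed other host
    print(other, "matches" if rule_matches(other, RULE_DST, RULE_MASK) else "no match")
```

Two things to keep in mind when relying on this rule: it only works while the host really uses its EUI64 address, so a client that has privacy extensions (random interface identifiers) enabled will not match it, and as written it accepts all traffic to that host, so in practice you would still add `-p tcp --dport 22` (or whatever the service is) to limit what gets opened.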

What to choose?

You now need to decide: will I use DHCPv6, or will I use SLAAC?

SLAAC
+ All clients support this
+ Easy config, no state to keep
– Privacy (as the MAC address is included in the IPv6 address, everybody can read your MAC address from it and thus learn information about your device)
– No support for passing DNS (RDNSS was added later)

DHCPv6
+ Privacy (random IPs are assigned)
+ You can use a small range to assign to some clients (for example make a DHCP reservation for some clients and allow only that range to connect to your server)
– Not all devices support this (Android for example does NOT support DHCPv6!)
– Can't pass routes

So as you see, both have their pros and cons.
But you can combine both by setting some bits in the Router Advertisement (the M/O bits and the A-bit).
See the image below:

In my case I chose SLAAC to assign addresses in my network and to set the route,
and then DHCPv6 to tell the clients which DNS server to use.

But Tomato uses by default the following dnsmasq setting:

enable-ra
dhcp-range=::1,::FFFF:FFFF,constructor:br*,ra-names,64,12h

This causes the router to set both the A-bit and the M-bit.
So we end up with 2 IPv6 addresses.

As it wasn't possible to change this in stock Tomato, I patched the code and added an option to enable/disable DHCPv6/SLAAC.
So now you have 3 options:

1) SLAAC only (but DHCPv6 for DNS)

enable-ra
dhcp-range=::,constructor:br*,ra-names,ra-stateless,64,12h

2) DHCPv6 only (but RA for route)

enable-ra
dhcp-range=::1,::FFFF:FFFF,constructor:br*,64,12h

3) SLAAC & DHCPv6

enable-ra
dhcp-range=::1,::FFFF:FFFF,constructor:br*,ra-names,64,12h
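To make the M/O/A bits behind these three options concrete, here is an added Python example (not code from the post, Tomato or dnsmasq) that builds a minimal ICMPv6 Router Advertisement with a Prefix Information option and an optional RDNSS option, then parses the flags back and reports which address configuration a client would perform. The flag sets in `TOMATO_MODES` are my reading of the three options as the post describes them (option 1: A-bit plus O-bit for DNS, option 2: M-bit only, option 3: A-bit and M-bit), not something taken from the dnsmasq source; the `2001:db8::` prefix and DNS address are constructed sample values, and the ICMPv6 checksum is left at zero because it is only computable over the real IPv6 pseudo-header:

```python
import ipaddress
import struct

# Added example (not from the post, Tomato or dnsmasq): assemble and decode the
# Router Advertisement flags (RFC 4861) that decide between SLAAC and DHCPv6.
# Constructed sample values: prefix 2001:db8:1::/64, DNS server 2001:db8:1::1.

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25

RA_FLAG_M = 0x80   # Managed: get addresses from stateful DHCPv6
RA_FLAG_O = 0x40   # Other: get DNS etc. from DHCPv6, but not addresses
PIO_FLAG_L = 0x80  # prefix is on-link
PIO_FLAG_A = 0x40  # Autonomous: clients may build a SLAAC address from it

# Flag sets (M, O, A) for the three Tomato options, as the post describes them.
# This mapping is my reading of the post, not dnsmasq's exact behaviour.
TOMATO_MODES = {
    "1) SLAAC only (but DHCPv6 for DNS)": (False, True, True),
    "2) DHCPv6 only (but RA for route)": (True, False, False),
    "3) SLAAC & DHCPv6": (True, False, True),
}


def build_ra(prefix: str, m: bool, o: bool, a: bool, rdnss=None) -> bytes:
    """ICMPv6 RA header + Prefix Information option (+ RDNSS option)."""
    flags = (RA_FLAG_M if m else 0) | (RA_FLAG_O if o else 0)
    # type, code, checksum (0, constructed packet), cur hop limit, flags,
    # router lifetime, reachable time, retrans timer
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio_flags = PIO_FLAG_L | (PIO_FLAG_A if a else 0)
    # type, length (in 8-byte units), prefix length, flags, valid, preferred, reserved, prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                      2592000, 604800, 0) + net.network_address.packed
    out = hdr + pio
    if rdnss:
        out += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(rdnss).packed
    return out


def parse_ra(pkt: bytes) -> dict:
    """Decode M/O, each prefix's A flag and RDNSS servers; name the resulting mode."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    info = {"M": bool(flags & RA_FLAG_M), "O": bool(flags & RA_FLAG_O),
            "prefixes": [], "rdnss": []}
    pos = 16
    while pos + 2 <= len(pkt):
        otype, olen = pkt[pos], pkt[pos + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: must be discarded
        body = pkt[pos:pos + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[2], body[3]
            prefix = ipaddress.IPv6Address(body[16:32])
            info["prefixes"].append({"prefix": f"{prefix}/{plen}", "A": bool(pflags & PIO_FLAG_A)})
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(8, olen * 8, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += olen * 8
    slaac = any(p["A"] for p in info["prefixes"])
    if info["M"] and slaac:
        info["mode"] = "SLAAC + DHCPv6 (two addresses)"
    elif info["M"]:
        info["mode"] = "DHCPv6 only (RA for route)"
    elif slaac and info["O"]:
        info["mode"] = "SLAAC only (DHCPv6 for DNS)"
    elif slaac:
        info["mode"] = "SLAAC only"
    else:
        info["mode"] = "no address configuration"
    return info


if __name__ == "__main__":
    for name, (m, o, a) in TOMATO_MODES.items():
        decoded = parse_ra(build_ra("2001:db8:1::/64", m, o, a, rdnss="2001:db8:1::1"))
        print(name, "->", decoded["mode"], decoded["prefixes"], decoded["rdnss"])
```

Running it shows option 3 producing the "two addresses" situation the post complains about, and option 2 yielding an RA without the A-bit, which is exactly the case where a client that does not speak DHCPv6 (Android, per the list above) ends up with a default route but no global address. On a live network, `tcpdump -vvv -i br0 icmp6 and 'ip6[40] == 134'` is a quick way to see which flags your router actually sends.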

In Tomato the options will look like this:

The patch I made to fix this will be sent to Tomato,
so I hope this option will be available soon for everybody.

After using a SixXS tunnel for years, my ISP (Belgacom) finally started to deploy native IPv6 some months ago.
Of course we were happy there was finally native IPv6 support, but unfortunately it was only available to people with a new BBOX3 modem.

But after months of waiting, we finally got hold of a BBOX3 modem some days ago.

Behind the BBOX3 I connect my Linksys E3000 router, which does all the routing and WiFi.
The E3000 also does the PPPoE connection, so we have the public IP on our own router.

Now IPv6 isn't activated immediately when you connect a BBOX3 modem.
Belgacom's provisioning activates it at some random time once it notices a BBOX3 is connected.
But I got lucky, and IPv6 was activated after about 24 hours.